Building a Wireless Motion Detection System

Wireless technology is key in implementing an easy-to-use motion detection system. There is a wide range of wireless technologies for linking motion detectors to a central hub, from ISM band to ZigBee, to Wi-Fi and other Internet connected protocols, but the reliability of the wireless link is important. Devices from manufacturers such as Atmel, Silicon Labs, and NXP Semiconductors can be used in different ways to provide wireless links to a central hub as part of a robust motion detection and alarm system.

Motion detectors are becoming increasingly common, but as a result are becoming more open to all kinds of malicious attacks. This is having an impact on the design of motion sensor systems, with the wireless element key to ensuring a secure yet flexible implementation that is fit for purpose - actually able to flag when there is an intrusion.

Wireless technology is being used in many different ways in such systems. Many motion sensors are including wireless links back to a central hub, but this opens up more technology and security choices for the developer. The radio waves themselves are even being used as the motion sensors, providing more capabilities than sensors such as passive infrared.

The problem is highlighted by recent examples where thieves have drilled through walls to avoid motion sensors. One way around this problem has been developed by a US startup called Xandem. It is using the fact that the presence of a body reduces the penetration of radio waves, and so can be used to detect motion. Its tomographic motion detection (TMD) technology can sense through walls and obstructions, and senses over areas that are otherwise extremely difficult to cover. It can remain completely hidden from view, enhancing both the security and the aesthetics of the installation.

A Xandem TMD system is built with two kinds of devices: nodes and a processing unit. Multiple nodes surround the area where motion is to be detected, using mesh networking technology that senses when objects move within the area of the mesh, even through walls and obstructions. Each node is not a sensor; the mesh network connecting the nodes is the sensor. The processing unit is a gateway with normally-closed relays that connect to any standard panel to act as the hub.

Figure 1: The Xandem radio-based tomographic motion detection system.

However, it is the wireless link back from the motion sensor to the hub that is critical. Bandwidth and data rates are not as much an issue as the robustness of the link. The motion sensors are likely to be mains powered rather than battery powered, so there is not a significant power issue. The key is ensuring the result of the motion data is transferred to the hub quickly and securely to provide the alarm.

There are a number of security and robustness elements designed into protocols such as ZigBee to assist with this, as there are many different sources of interference in the 2.4 GHz band. From microwave ovens to Wi-Fi networks, there are many spurious signals that can inadvertently interfere with a security system. There is also the protection against deliberate attack, where the 2.4 GHz band can be swamped to prevent signals getting through. Other techniques and protocols can also be used in non-standard approaches to provide robust links at different frequencies, which can serve to protect against such attacks.

Security protocols

The ZigBee protocol includes several elements to ensure the mesh network created to link the motion sensors together can be kept secure, all using 128-bit AES-CCM (Counter with CBC-MAC) link keys, secured by a master key in a common security model.

The MAC sub-layer is capable of single-hop reliable communications and, as a rule, the security level used is specified by the upper layers. The network layer manages the routing, processes received messages and is capable of broadcasting requests. Outgoing frames will use a link key according to the routing, if it is available, otherwise the network key will be used to protect the payload from external devices.

The application layer offers key establishment and transport services to both the ZigBee Device Object (ZDO) that manages the devices in the network, and to the applications. It also handles the propagation of changes across the network, as these may come from the devices themselves, such as a simple status change, or from the trust manager that adds and removes devices from the network. All of this means that the devices themselves can be secure (and not spoofed by a rogue device being automatically attached to the network), and that the signals from the sensors can be relayed back to the hub securely without being intercepted.

Figure 2: The ZigBee security protocol stack.

There are several ways to build such a ZigBee network, from a discrete implementation to one that is highly integrated. The discrete version can allow lower costs and smaller size, although high volume system-on-chip devices are bringing the cost of integrated design down considerably.

Atmel’s discrete 2.4 GHz transceiver can be used with a low cost 8-bit AVR microcontroller, providing a high link budget of 104 dB.

Figure 3: Block Diagram of the Atmel AT86RF230.

This can be used to allow a longer distance from the central hub, or provide a stronger link that is less susceptible to interference, depending on the situation. This is supported with a programmable output power, ranging from -17 dBm up to 3 dBm, and a receiver sensitivity of -101 dBm. Again, these are programmable and can be used to ensure that the link is kept secure from interference. One of the arguments for highly integrated devices is the reduced need for external devices, but the discrete transceiver reduces the need for external components down to the crystal oscillator, de-coupling capacitors, and antenna.

The transceiver links to the microcontroller through two GPIO lines and one interrupt pin from the radio transceiver, with the registers and frame buffer accessible through the fast SPI interface. The received differential RF signal is fed through the low-noise amplifier (LNA) to the RF filter to generate a complex signal. This signal is converted down by mixers to an intermediate frequency and fed to the integrated channel filter. The limiting amplifier provides sufficient gain to drive the succeeding analog-to-digital converter (ADC) and generates a digital RSSI signal with 3 dB granularity. The ADC output signal is sampled by the digital base band receiver.

The transmit modulation scheme is offset-QPSK (O-QPSK) with half-sine pulse shaping and 32-length block coding. The modulation signal is generated in the digital transmitter and applied to the fractional-N frequency synthesis PLL generating a coherent phase modulation required for demodulation of O-QPSK signals. The frequency-modulated RF signal is fed to the power amplifier. An internal 128 byte RAM buffers the data to be transmitted or the received data and two on chip low dropout (LDO) voltage regulators provide the internal analog and digital 1.8 V supply.

The differential RF port provides common-mode rejection to suppress the switching noise of the internal digital signal processing blocks and is designed for a 100 Ω differential load. At the board-level, the differential RF layout ensures high receiver sensitivity by rejecting any spurious interspersions originating from the microcontroller.

Integrated system on chip devices

For an integrated part, the EM351 from Silicon Labs combines the transceiver with a 32-bit ARM® Cortex™-M3 microprocessor, flash and RAM memory, and peripherals of use to designers of ZigBee-based systems.

The transceiver uses an efficient architecture that exceeds the dynamic range requirements imposed by the IEEE 802.15.4-2003 standard by over 15 dB. The integrated receive channel filtering allows for robust coexistence with other 2.4 GHz systems such as IEEE 802.11 Wi-Fi and Bluetooth to avoid interference.

The integrated regulator, VCO, loop filter, and power amplifier keep the external component count low, and there is an optional high performance radio mode that is software-selectable to boost dynamic range and could be used to overcome interference attacks.

Figure 4: The EM351 ZigBee system on chip from Silicon Labs.

The integrated 32-bit ARM Cortex-M3 microprocessor supports two different modes of operation—privileged mode and user mode. This architecture could allow for separation of the networking stack from the application code, and prevents unwanted modification of restricted areas of memory and registers resulting in increased stability and reliability of deployed solutions, adding to the security of the design. The EM351 has 128 kB of embedded flash memory with 12 kB of integrated RAM for data and program storage.

To maintain the strict timing requirements imposed by the ZigBee and IEEE 802.15.4-2003 standards, the EM351 integrates a number of MAC functions into the hardware, including the AES128 encryption accelerator to handle the keys and automatic CRC handling to support secure links. The MAC hardware handles automatic ACK transmission and reception, automatic back-off delay, and clear channel assessment for transmission, as well as automatic filtering of received packets to ensure that the trigger packets for the security system are received at the hub and cannot be blocked.
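The frame check that the MAC hardware performs automatically can be written out in software to see what it does and does not cover. This is an added example, not code from the article or from Silicon Labs; it uses the 16-bit ITU-T CRC that IEEE 802.15.4 specifies for its frame check sequence (FCS), and the function names and the sample frame bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IEEE 802.15.4 FCS: 16-bit ITU-T CRC, generator x^16 + x^12 + x^5 + 1
 * (0x8408 bit-reversed), initial value 0, bits processed LSB first. */
uint16_t fcs16(const uint8_t *buf, size_t n) {
    uint16_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (uint16_t)((crc & 1) ? (crc >> 1) ^ 0x8408 : crc >> 1);
    }
    return crc;
}

/* Transmit side: append the FCS, low byte first.
 * The caller must leave room for n + 2 bytes in frame. */
size_t frame_seal(uint8_t *frame, size_t n) {
    uint16_t crc = fcs16(frame, n);
    frame[n] = (uint8_t)(crc & 0xFF);
    frame[n + 1] = (uint8_t)(crc >> 8);
    return n + 2;
}

/* Receive side: 1 if the trailing FCS matches, 0 if the frame must be dropped.
 * The FCS is unkeyed, so it only catches channel errors; authenticity of the
 * frame comes from the AES-CCM integrity code, not from this check. */
int frame_check(const uint8_t *frame, size_t n) {
    if (n < 2) return 0;
    return fcs16(frame, n - 2) == (uint16_t)(frame[n - 2] | (frame[n - 1] << 8));
}

int main(void) {
    /* Constructed 6-byte frame body, with 2 spare bytes for the FCS. */
    uint8_t frame[8] = {0x61, 0x88, 0x2A, 0x01, 0x4D, 0x31};
    size_t n = frame_seal(frame, 6);
    int clean = frame_check(frame, n);
    frame[4] ^= 0x08;  /* one bit corrupted in transit */
    printf("clean=%d corrupted=%d\n", clean, frame_check(frame, n));
    return 0;
}
```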

To support user-defined applications, on-chip peripherals include UART, SPI, TWI, ADC, and general-purpose timers, as well as up to twenty-four GPIOs. Additionally, an integrated voltage regulator, power-on-reset circuit, and sleep timer are available.

An alternative approach that sits alongside ZigBee is the JenNet protocol developed by NXP. This protocol stack runs on devices such as the JN5148-001 wireless microcontroller, and can run ZigBee networking applications.

The device features an enhanced 32-bit RISC processor offering high coding efficiency through variable width instructions, a multistage instruction pipeline, and low power operation with programmable clock speeds. It also includes a 2.4 GHz IEEE802.15.4 compliant transceiver, 128 kB of ROM, 128 kB of RAM, and a rich mix of analog and digital peripherals. The large memory footprint allows the device to run both a network stack such as ZigBee PRO and an embedded application or in a coprocessor mode. The JenNet-IP protocol (Figure 5) supports the IPv6 protocol so that the packets from the motion sensor can be routed externally from the system out to the Internet and delivered to a smartphone or tablet.

Figure 5: The JenNet-IP and ZigBee PRO protocols.

However, there are other unlicensed bands that can provide longer distance or stronger link budgets. The Silicon Labs Si4455 is a low current, sub-GHz transceiver that covers all the major ISM bands, with wireless motion sensing as one of the key applications. The combination of the transceiver and microcontroller can be used to implement sophisticated algorithms that will reduce false alarms, adapt to environmental disturbances, and compensate for temperature, while the ADCs, comparators, filters, real-time clocks, and temperature sensors in the microcontroller simplify the system design. Increasingly these microcontrollers are providing built-in encryption engines to support custom protection schemes without having to go to the integrated SoC devices.

Figure 6: Motion sensing using the Silicon Labs Si4455 transceiver.

One of the key advantages this provides is small size, as the package measures 3 x 3 mm and, combined with a low external BOM count, makes the Si4455 both space efficient and cost effective. The +13 dBm output power and sensitivity of –116 dBm allows for a longer operating range and stronger links and, by fully integrating all components from the antenna to the GPIO or SPI interface to the MCU, the Si4455 simplifies achieving this performance level.

Figure 7: Silicon Labs’ Si4455 discrete ISM band transceiver.

The Silicon Labs Wireless Development Suite (WDS) user interface module provides simplified programming options for a broad range of applications in an easy-to-use format that results in both a faster and lower-risk development.

The setup interface provides an easy path to quickly selecting and loading the desired configuration for the device via three different methods. One option is the configuration wizard, which identifies the optimal setup based on a few questions about the application. Another option is the configuration table, which provides a list of preloaded, common configurations while the third option is for a custom configuration to be loaded using the radio configuration application.

Figure 8: The Wireless Development Suite simplifies configuration of the radio chip.

The setup then automatically creates the configuration array that will be passed to the chip, with the option to load a sample project with the selected configuration onto the evaluation board or launch IDE with the new configuration array preloaded into the user program.

Within the configuration wizard, the user is able to define their system requirements and can see some potential trade-offs for various settings. The wizard then provides a recommended configuration that is optimized for the given application. This configuration can be further modified if needed to provide the desired setup.

In contrast, the configuration table is a list of predefined configurations that have been optimized for performance and validated by Silicon Labs. These configurations are listed for many common application conditions and so most users will be able to find the configuration they need in this table. These configurations are set to provide optimized performance for a given application and can be implemented with low design risk. Once the list item is selected, the specific frequency, power level, and packet handler features can also be applied.

The Silicon Labs Radio Configuration Application provides an intuitive interface for directly modifying the device configuration. Using this control panel, the device parameters such as modulation type, data rate, frequency deviation, and any packet related settings can be set. The EZConfig Setup then takes these parameters and automatically determines the appropriate device register settings. This method allows the user to have complete flexibility in determining the configuration of the device without the need to translate the system requirements into device specific properties. As with the other EZConfig methods, the resulting configuration array is automatically generated and available for use in the user's program.

The Si4455 can operate in the 283–350 MHz, 425–525 MHz, or 850–960 MHz bands. One of these three bands will be selected during the configuration setup and then the specific transmission frequency that will be used within this band can be selected. It supports On/Off Keying (OOK), Frequency Shift Keying (FSK), or Gaussian Frequency Shift Keying (GFSK). OOK modulation is the most basic modulation type available. It is the most power-efficient method, and does not require as high oscillator accuracy as FSK. FSK provides the best sensitivity and range performance, but generally requires more precision from the oscillator used. GFSK is a version of FSK where the signal is passed through a Gaussian filter, limiting its spectral width. As a result, the out-of-band components of the signal are reduced.

The Si4455 also has an option for Manchester coding. This method provides a state transition at each bit, and so allows for more reliable clock recovery. Manchester code is available only when using the packet handler option and, if selected, will be applied to the entire packet.
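The effect of Manchester coding on a whole packet can be shown in a few lines of C. This is an added example, not code from the article or from Silicon Labs; the polarity (data 1 sent as chips 01, data 0 as chips 10) and all function names are assumptions. It shows both the bounded run length that helps clock recovery and the fact that a chip pair with no transition marks the packet as corrupt.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Assumed polarity (IEEE 802.3 style): data 1 -> chips 01, data 0 -> chips 10.
 * A real radio's polarity comes from its configuration, not from this sketch. */
size_t manchester_encode(const uint8_t *in, size_t n, uint8_t *out) {
    for (size_t i = 0; i < n; i++) {          /* n data bytes -> 2*n chip bytes */
        uint16_t chips = 0;
        for (int b = 7; b >= 0; b--)          /* most significant bit first */
            chips = (uint16_t)((chips << 2) | (((in[i] >> b) & 1) ? 0x1 : 0x2));
        out[2 * i] = (uint8_t)(chips >> 8);
        out[2 * i + 1] = (uint8_t)(chips & 0xFF);
    }
    return 2 * n;
}

/* Returns the number of decoded bytes, or -1 when the input is truncated or a
 * chip pair is 00 or 11 (no mid-bit transition, so the packet is corrupt);
 * *bad_bit then holds the index of the first data bit that failed. */
long manchester_decode(const uint8_t *in, size_t n, uint8_t *out, size_t *bad_bit) {
    for (size_t i = 0; i < n / 2; i++) {
        uint16_t chips = (uint16_t)((in[2 * i] << 8) | in[2 * i + 1]);
        uint8_t byte = 0;
        for (int b = 7; b >= 0; b--) {
            unsigned pair = (chips >> (2 * b)) & 0x3;
            if (pair == 0x0 || pair == 0x3) { *bad_bit = i * 8 + (size_t)(7 - b); return -1; }
            byte = (uint8_t)((byte << 1) | (pair == 0x1));
        }
        out[i] = byte;
    }
    if (n % 2 != 0) { *bad_bit = (n / 2) * 8; return -1; }
    return (long)(n / 2);
}

/* Longest run of identical bits: what clock recovery has to ride through. */
size_t longest_run(const uint8_t *buf, size_t n) {
    size_t best = 0, run = 0;
    int prev = -1;
    for (size_t i = 0; i < n * 8; i++) {
        int bit = (buf[i / 8] >> (7 - i % 8)) & 1;
        run = (bit == prev) ? run + 1 : 1;
        prev = bit;
        if (run > best) best = run;
    }
    return best;
}

int main(void) {
    const uint8_t payload[4] = {0x00, 0x00, 0xFF, 0xFF};  /* constructed sample */
    uint8_t chips[8];
    size_t n = manchester_encode(payload, 4, chips);
    printf("raw run %zu, coded run %zu\n", longest_run(payload, 4), longest_run(chips, n));
    return 0;
}
```

Any single flipped chip turns a valid pair into 00 or 11, so the decoder rejects the packet instead of delivering a wrong bit; the cost is twice the airtime for the same payload.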

The transceiver operates as a time division duplexing (TDD) transceiver where the device alternately transmits and receives data packets. The device uses a single-conversion mixer to down convert the FSK/GFSK or OOK/ASK modulated receive signal to a low IF frequency. Following a programmable gain amplifier (PGA), the signal is converted to the digital domain by a high performance ADC allowing filtering, demodulation, slicing, and packet handling to be performed in the built-in digital modem, increasing the receiver’s performance and flexibility. The demodulated signal is output to the system MCU through a programmable GPIO or via the standard SPI bus by reading the 64-byte Rx FIFO.

A single high-precision local oscillator is used for both transmit and receive modes since the transmitter and receiver do not operate at the same time, supporting configurable data rates up to 500 kbps. The transmit FSK data is modulated directly into the data stream and can be shaped by a Gaussian low-pass filter to reduce unwanted spectral content.


Motion sensors are increasingly turning to wireless technology to provide flexible, robust communications links, and security has increased to allow this to happen. While new wireless technologies will help in improving the accuracy of the sensors themselves, there is a range of techniques to assist in keeping such devices robust and secure. From avoiding interference from other wireless sources and deliberate attacks, to providing the authentication to prevent spoofed rogue devices being added to the network, the design of the wireless elements increasingly needs to take security into account. This can be provided through highly integrated system on chip devices running protocols such as ZigBee PRO or JenNet that include key management and AES 128-bit encryption, but it is just as possible with discrete transceivers and low cost microcontrollers running custom protocols and algorithms.